An integrated system theory of information security management

Kwo-Shing Hong, Department of Management Information Systems, National Cheng-Chi University, and Overall Planning Department, Control Yuan of Republic of China, Taiwan
Yen-Ping Chi, Department of Management Information Systems, National Cheng-Chi University, Taiwan
Louis R. Chao, Institute of Management Science, Tamkang University, and Control Yuan of Republic of China, Taiwan
Jih-Hsing Tang, Tak Ming College, Taipei, Taiwan

Keywords: Information systems, Control systems, Risk management, Systems theory, Contingency planning

Abstract

With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have attracted a lot of attention from both academia and practitioners. However, a theoretical framework for information security management is lacking. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Information Management & Computer Security 11/5 [2003] 243-248. © MCB UP Limited [ISSN 0968-5227] [DOI 10.1108/09685220310500153]

1. Introduction

Information is one of the most important enterprise assets. For any organization, information is valuable and should be appropriately protected (BS 7799-2, 1999). Security combines systems, operations and internal controls to ensure the integrity and confidentiality of data and operating procedures in an organization.
With the advent of information technology, the users of information systems have evolved from IT specialists who access information facilities, to non-IT personnel who perform regular operations, to unspecified individuals from outside the organization. That is to say, with the serious threat of unauthorized users on the Internet, information security is facing unprecedented challenges, and effective information security management is one of the major concerns (Eloff and Solms, 2000; Schultz et al., 2001). Although there is plenty of security technology research, surprisingly few information security management studies are found in the literature. It was not until 1995, when the British Standards Institution (BSI) established BS 7799-1, "Information Security Management - Part I: Code of Practice for Information Security Management", that a more complete management framework for information security emerged. Because of the lack of information security management theory, few empirical studies have been conducted to examine the effectiveness of management strategies and tools. Thus, the authors combine five related theories - information policy theory, risk management theory, control and audit theory, management system theory, and contingency theory - to develop an integrated theory of information security management (ISM) which may be used as a foundation for further understanding managerial obstacles, predicting managerial effectiveness and modifying managerial strategies.

2. Literature review

2.1 Definitions and coverage

To begin with, information security is open to many definitions. For example, the goal of information security is mainly to detect and prevent the unauthorized acts of computer users (Gollmann, 1999).
And the broad objectives of a computer security policy are to ensure data confidentiality, integrity and availability within information systems (ISO/IEC 17799, 2000; Schultz et al., 2001; Smith, 1989). Information security issues cover information security policy, risk analysis, risk management, contingency planning and disaster recovery (Von Solms et al., 1994). From the users' perspective, if software runs smoothly as they expect, the system will be described as "a secure system" (Simson and Gene, 1991). Therefore, information security is defined in this paper as the application of technical methods and managerial processes to information resources (hardware, software and data) in order to keep organizational assets and personal privacy protected.

The contents of information security management also vary between researchers and institutions. For example, according to Tudor (2001), there are five components of any information security architecture:
1 security organization and infrastructure;
2 security policy, standards and procedures;
3 security baselines and risk assessments;
4 security awareness and training programs; and
5 compliance.

Among these, security organization and infrastructure is essential and crucial for information security management. However, ISO/IEC 17799 gives a different scope for information security management. It includes:
- information security policy establishment and assessment;
- information security organization and responsibility;
- personnel security management and training;
- computer system security management;
- network security management;
- system access control;
- system development and maintenance security management;
- information assets security management;
- physical and environmental security management; and
- business planning and management.

2.2 Security policy theory

There is no consistent security policy theory so far. However, several scholars declare that information security could be achieved through the establishment, implementation and maintenance of an information security policy. For example, Kabay (1996) pointed out that the establishment of an information security policy should include five procedures:
1 assess and persuade top management;
2 analyze information security requirements;
3 form and draft a policy;
4 implement the policy; and
5 maintain the policy.

The information security policy life cycle proposed by Rees addresses four parts:
1 policy assessment;
2 risk assessment;
3 policy development and requirements definition; and
4 review of trends and operation management (Gupta et al., 2001).

The e-policy proposed by Flynn (2001) covers:
- comprehensive e-audit;
- e-risk management policy;
- computer security policy;
- cyber insurance policy;
- e-mail policy;
- Internet policy; and
- software policy.

To sum up, information security policy aims at planning information security requirements, forming consensus in an organization, drafting and implementing a policy, and reviewing the policy on a regular basis in order to meet the organization's security requirements. This theory can be expressed in terms of the three functions below:
1 Information security = f (information security policy).
2 Information security policy = f (establishment, implementation, and maintenance of information security policy).
3 Information security establishment = f (organizational security requirements).
2.3 Risk management theory

Risk management theory suggests that, through organizational risk analysis and evaluation, the threats and vulnerabilities regarding information security can be estimated and assessed. The evaluation results can be used for planning information security requirements and risk control measures. The goal is to keep information security risk at an acceptable level in an organization. Wright (1999) pointed out that risk management is a process of establishing and maintaining information security within an organization. The crux of risk management is risk assessment; namely, through information security risk assessment, an organization can take appropriate measures to protect information cost-effectively. Reid and Floyd (2001) proposed a "risk analysis flow chart", and considered that an organization should assess the threats and vulnerabilities of its information assets. The goal of organizational controls is to lower the risk to an acceptable level. The interplay of risk assessment and risk control keeps information security risk at an acceptable level and actualizes the control procedures. Therefore, the relationships can be expressed as follows:
- Information security = f (risk assessment, risk control, review and modification).
- Risk assessment = f (risk analysis, risk estimation).
- Risk control = f (establishment of control measures, implementation).
- Risk analysis = f (threats, vulnerability).
- Risk estimation = f (impact, asset appraisal).

2.4 Control and auditing theory

Control and auditing theory suggests that organizations should establish information security control systems and, after these have been implemented, conduct auditing procedures to measure control performance. Several researchers consider information security management to be a part of control systems.
For example, Weber (1999) regarded control as a system for preventing, detecting and correcting illegal events; hence there are preventive control systems, detective control systems and corrective control systems. ISO/IEC 17799 for information security control includes:
- security policy;
- organizational security;
- assets classification and control;
- personnel security;
- physical and environmental security;
- communication and operation security;
- access control;
- system development and maintenance;
- business continuity planning; and
- compliance.

COBIT is an IT management model based on two major internal control models: the "holistic operation control model" and the "focus on information technology control model". COBIT is a high-level guideline for IT resources, including data, applications, techniques, hardware and personnel. It achieves organizational objectives through balancing the risk and through directing and controlling measures (COBIT, 1998). Organizations should refer to information security standards and establish information security strategies in order to form IT security control systems; and, once these control systems are implemented, information audits should be carried out regularly in order to assess control performance. In terms of control systems, information security is determined by the following functions:
- Information security = f (establishment of control systems, implementation of control systems, information audit).
- Establishment of control systems = f (security strategies, security standards).

2.5 Management system theory

Management system theory emphasizes that an organization should establish and maintain a documented information security management system (ISMS) to control and protect information assets.
An ISMS involves six steps:
1 define the policy;
2 define the scope of the ISMS;
3 undertake a risk assessment;
4 manage the risk;
5 select control objectives and controls to be implemented; and
6 prepare a statement of applicability (BS 7799).

Based on organizational requirements and security strategies, Sherwood (1996) proposed the information security architecture SALSA (Sherwood Associates Limited Security Architecture), which includes:
- business requirements;
- major security strategies;
- security services;
- security mechanisms; and
- security products and technologies.

Organizations should inspect their environments and security standards to establish an information security policy, define the scope of information security, and assess risk and control in order to form an information security management system. Information security can be described by the following functions:
- Information security = f (information security policy, the scope of information security, risk management, implementation).
- Risk management = f (risk assessment, risk control).
- Information security policy = f (environment inside and outside of an organization, standards).

2.6 Contingency theory

For contingency theorists, information security management is a part of contingency management, which is meant for the prevention and detection of, and reaction to, the threats, vulnerabilities and impacts inside and outside an organization. To meet the demands of a fast-changing environment, it is reasonable for practitioners to take one or more information security management measures, for example security policy actions, risk management actions, control and auditing actions or system management actions, or to combine two or more of these actions. The contingency approach is to recognize and respond to situational variables in order to attain organizational objectives effectively (Drazin and Van de Ven, 1985; Robbins, 1994).
Contingency management is to manage the interaction between a set of environmental variables and another set of technological and managerial variables, with the goal of attaining organizational objectives (Lee et al., 1982; Luthans, 1976). The contingency approach has been applied to information security management. For example, Von Solms et al. (1994) proposed an information security model (ISM) which consists of five information security levels:
1 ideal;
2 prescribed;
3 baseline;
4 current; and
5 survival.

Except for the ideal level, all the other four levels are dynamic and contingent upon environmental variables such as the information security threats, vulnerabilities and impact for an organization. The procedures for coping with organizational information security problems are mostly undefined, since the procedures depend on several situational variables. Therefore, whether to take on policy-oriented managerial activities or risk management activities depends on an organization's contingency strategy. The contingency approach can be expressed in the following functions:
- Information security = f (information security strategy).
- Information security strategy = f (policy orientation, risk management orientation, control and auditing orientation, management systems orientation, contingency management).
- Contingency management = f (organizational environment, management, technology).

All the mentioned theories are categorized in terms of main security managerial activities, managerial procedures, characteristics and literature, and are summarized in Table I.

3. An integrated theory

3.1 The construction of a theory

Theory construction is a creative process; it develops concepts, constructs and propositions at the same time (Kaplan, 1964).
There are two paths to theory building: first, knowledge growth by intention, that is, to refine and modify a theory within a well-developed domain; and second, knowledge growth by extension, that is, to strive for a more complete explanation in a smaller-scale theory, and then extend it to similar domains. This paper takes the second path; the five different theories relating to information security are analyzed and compared below.

First, security policy, risk management, and control and auditing theories take different cutting points in the process or stage of information security management. For example, security policy theory takes its perspective from the "policy stage", whereas control and auditing theory focuses on defining the "control stage". Second, although the five theories adopt different cutting points, the "ongoing" information security management activities are similar. Internal control receives special attention in all theories. Obviously, internal control is an important measure for attaining information security objectives. Third, except for contingency theory, all other theories are top-down and process-oriented, but do not have applicable procedures. Fourth, the five mentioned theories each emphasize one or some components of information security management, but none covers the entire scope of information security management. Even though management system theory is more general, it is not comprehensive enough to cover all of information security management. Here we highlight some limitations of the current theories:
- The "top-down" approach may not be consistent with reality.
- It is hard for structured methods to adapt to highly dynamic environments.
- Information security auditing is not appropriately addressed, so no evaluation mechanisms can be applied accordingly.
- Management systems do not form a periodic cycle.
- Contingency theory does not have the previous four limitations, but it lacks comprehensive methods and procedures.

Table I Summary of information security management theories

| Theory | Managerial activities | Managerial procedures | Characteristics | Source |
|---|---|---|---|---|
| Security policy theory | Security policy establishment; security policy implementation; security policy maintenance | Sequential; periodic | Policy is the main focus; emphasizes sequential, structured procedures | Flynn; Gupta et al.; Kabay |
| Risk management theory | Risk assessment; risk control; review and modification | Sequential; periodic | Understands and copes with insecure environments; ignores security policy and information audit mechanisms; overemphasizes structures | Luthans; Wright |
| Control and auditing theory | Establish control systems; implement control systems; information auditing | Sequential; periodic | Internal control and information audit are the main focus; ignores security policy and risk management; lacks requirements planning and contingency for the unexpected | ISO/IEC 17799; COBIT |
| Management system theory | Establish security policy; define security scope; risk management; implementation | Sequential | Information auditing is ignored and implementation is affected; lacks periodic checks; lacks feedback | BS 7799; Schultz et al. |
| Contingency theory | Policy strategy; risk management strategy; control and audit strategy; management system strategy | Contingency | Considers environments both outside and inside an organization, and chooses appropriate security strategies; lacks integration and structure | Drazin et al.; Kaplan; Lee et al.; Tudor |

Based upon the above analysis, the current theories related to information security management are restricted to some parts of the management activities or mechanisms, and cannot be applied to all security management activities, not to mention that none is adaptable to highly dynamic environments. Therefore, this paper integrates these five theories to build a more solid and comprehensive theory named integrated system theory (IST).

3.2 Description of the IST

The IST is based on contingency management and integrates information security policy, risk management, internal control and information auditing theories to form an information security architecture that is consistent with organizational objectives, as shown in Figure 1. The characteristics of this theory are as follows.

First, this theory is based on contingency management. To meet the demands of a fast-changing environment, any component of managerial activities could be the focus. It is not recommended here to put an emphasis on information security only. Second, sequential management processes and contingency processes are combined in this theory. The sequential processes originate from security policy and then proceed to risk management, internal control and information auditing. Contingency processes originate from any security management activity, and then proceed sequentially. For example, contingency management could begin at risk management, proceed to internal control and then information auditing, and go back to security policy in the long run. Contingency management could include one or more management activities. Third, information security management forms a periodic managerial cycle. However, contingency processes could be independent from other managerial activities, or could form a periodic cycle of their own.
The periodic feedback could go back to the original information security management process or to any previous managerial activity. Fourth, each security managerial activity could proceed in a sequential order or could be an input/output of the next activity. Last, each security managerial activity is tightly coupled with organizational objectives. The theory can be expressed in the following functions:
- Information security = f (information security policy, risk management, internal control, information auditing, contingency management).
- Internal control = f (personnel security control, physical security control, systems and network security control, access control, system development and maintenance control, business continuity management).
- Contingency management = f (environment inside or outside of an organization, information management, information techniques).

A theory can be evaluated in terms of its scope, parsimony, accuracy of explanation and precision of prediction. If a theory produces a more accurate prediction or explains more with fewer variables, then it is a useful one. The IST proposed in this paper is more comprehensive, practical and useful; however, further empirical studies have to be conducted to consolidate the theory.

Figure 1 A diagrammatical illustration of integrated system theory

4. Conclusion

Organizations nowadays rely heavily on information technology, and information security has attracted a great deal of attention; however, few information security strategies and guidelines can be found for practitioners. This may result from a lack of coherent and comprehensive information security management theory.
The paper integrates different perspectives from security policy, risk management, control and auditing, management systems and contingency theories and builds an IST, which may lay a more solid foundation for further empirical studies. The contributions of this study are as follows:
- It provides rich information security strategies, procedures and theories for researchers, information security decision makers, planners, providers and users, so that they can gain a better understanding of information security from different perspectives.
- It explains organizational behavior regarding information security management, and provides alternatives for organizational security management strategies.
- The theory proposed in this paper could be applied to predict organizational attitudes and behavior towards information security management, and could be beneficial for information security decision making.
- The theory could be a building block for further information security management research and a guide for future empirical studies.

References

BS 7799-2 (1999), Information Security Management Part 2: Specification for Information Security Management Systems, British Standards Institute, London.
COBIT (1998), COBIT: Control Objectives, ISACA, Rolling Meadows, IL.
Drazin, R. and Van de Ven, A.H. (1985), "Alternative forms of fit in contingency theory", Administrative Science Quarterly, Vol. 30 No. 4, pp. 514-39.
Eloff, M.M. and Solms, S.H.V. (2000), "Information security management: an approach to combine process certification and product evaluation", Computers & Security, Vol. 19 No. 3, pp. 698-709.
Flynn, N.L. (2001), The Epolicy Handbook: Designing and Implementing Effective E-mail, Internet and Software Policies, American Management Association, New York, NY.
Gollmann, D. (1999), Computer Security, John Wiley & Sons, New York, NY.
Gupta, M., Charturvedi, A.R., Metha, S. and Valeri, L. (2001), "The experimental analysis of information security management issues for online financial services", ICIS 2000, pp. 667-75.
ISO/IEC 17799 (2000), Information Technology Code of Practice for Information Services, International Organization for Standardization, Geneva.
Kabay, M.E. (1996), The NCSA Guide to Enterprise Security, McGraw-Hill, New York, NY.
Kaplan, A. (1964), The Conduct of Inquiry, Chandler Co., New York, NY.
Lee, S.M., Luthans, F. and Olson, D.L. (1982), "A management science approach to contingency models of organizational structure", Academy of Management Journal, Vol. 25 No. 3, pp. 553-66.
Luthans, F. (1976), Introduction to Management: A Contingency Approach, McGraw-Hill, New York, NY.
Reid, R.C. and Floyd, S.A. (2001), "Extending the risk analysis model to include market insurance", Computers & Security, Vol. 20 No. 4, pp. 331-9.
Robbins, S.P. (1994), Management, 4th ed., Prentice-Hall, Upper Saddle River, NJ.
Schultz, E.E., Proctor, R.W. and Lien, M.C. (2001), "Usability and security: an appraisal of usability issues in information security methods", Computers & Security, Vol. 20 No. 18, pp. 620-34.
Sherwood, J. (1996), "SALSA: a method for developing the enterprise security architecture and strategy", Computers & Security, Vol. 2, pp. 8-17.
Simson, G. and Gene, S. (1991), Practical UNIX Security, O'Reilly & Associates, Sebastopol, CA.
Smith, M. (1989), "Computer security - threats, vulnerabilities and countermeasures", Information Age, Vol. 11 No. 4, pp. 205-10.
Tudor, J.K. (2001), Information Security Architecture, CRC Press, Boca Raton, FL.
Von Solms, R., Van Haar, H., Von Solms, S.H. and Caelli, W.J. (1994), "A framework for information security evaluation", Information & Management, Vol. 26 No. 3, pp. 143-53.
Weber, R. (1999), Information System Control and Audit, Prentice-Hall, Englewood Cliffs, NJ.
Wright, M. (1999), "Third generation risk management practices", Computers & Security, Vol. 1999 No. 2, pp. 9-12.